Hospitals are faced with the following challenges:
- Ad-hoc IT environments – Technology that is ordered by IT, clinicians, and administrators
- Internal politics – Finance, IT, human resources, and medical departments all have their own priorities and are competing for budget dollars for their own agendas
- Regulatory pressures – Regulation from CMS and HHS is ever-increasing
- Patient-centered care – Hospitals exist to provide excellent care for patients, but they must also generate a positive net revenue to survive
Furthermore, cybersecurity incidents are a growing threat to hospitals. The healthcare industry, in general, has tended to lag behind other industries in protecting the data of its key stakeholders (patients) and in reducing the likelihood of cyber incidents.
So how do hospitals, especially smaller hospitals, drive cybersecurity initiatives given the inherent challenges they face? In a word: prioritization.
Here’s our top-three list of cybersecurity priorities for small hospitals and healthcare facilities…
1. Security awareness training
Every year for the last decade, the Verizon Data Breach Investigation Report has shown that end users are the single most risky factor in hospitals’ cybersecurity posture. End users click phishing emails and contract malware. End users inadvertently wire money to unauthorized third parties. End users open files they shouldn’t and send data where it shouldn’t go. Hospitals are required under HIPAA to train their users on securely handling protected health information. Security awareness training is both the most impactful and the least expensive cybersecurity measure for small hospitals to implement.
2. Vulnerability assessment
What happens when an end user clicks a phishing email and opens a malicious attachment? That attachment, usually a Microsoft Word document or PDF, runs code that attempts to find a weakness on the user’s computer and gain a foothold in the network. By performing a vulnerability assessment, hospitals can find these weaknesses and address them before an attachment can exploit them, thus rendering malicious attachments useless.
3. Incident response plan
Fewer than half of hospitals perform cybersecurity incident response exercises annually. An incident response plan is what helps a hospital respond to a cybersecurity incident in a logical, structured fashion. The goal of an incident response plan is to restore data and systems as quickly as possible. Without an incident response plan, and without testing that plan annually, hospitals are at heightened risk of extended downtime and heavy fines.